Bytes IT Community

volunteer

Lal
Any volunteer to test a PHP+MySQL based website's vulnerability?

Thanks, Lal

Feb 25 '06 #1
5 Replies


Following on from Lal's message. . .
Any volunteer to test a PHP+MySQL based website's vulnerability?

Thanks, Lal

You're right to be concerned but going about it the wrong way.

*You* need to be the one dealing with the security. *You* need to
_understand_ the threats before you can deal with them. There are
plenty of on-line resources on PHP/MySQL and security to deal with the
protection /mechanisms/ ...
...but only you can understand the /context/ in order to build a
security model. Only you can list the bad things that could happen in
order to deal with them in depth.

--
PETER FOX Not the same since the submarine business went under
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Feb 25 '06 #2

Peter Fox wrote:
. . .
*You* need to be the one dealing with the security. *You* need to
_understand_ the threats before you can deal with them. There are
plenty of on-line resources on PHP/MySQL and security to deal with the
protection /mechanisms/ ...
...but only you can understand the /context/ in order to build a
security model. Only you can list the bad things that could happen in
order to deal with them in depth.

Well, yes. You are right. The problem with security is, however, that
there is bound to be a hacker that understands more than you do.

So let me add one thing to the above (as you should take a really good
interest in security):

Know What You Are Doing.

I don't mean as a programmer. You, as a programmer, don't do unexpected
things, like giving passwords away or sending unwanted emails. Your
application does. So I am really saying this to your application: Know
What You Are Doing.
As a programmer, I want to know when things go wrong. Things that go
wrong are usually my fault or at least my responsibility, so I want to
know. Therefore I log errors.
For one of my last applications (which was thrown over the wall after
being set up without any documentation), I had so many things to deal
with that I enhanced my database class to just log all SQL commands,
along with the site input. Not only the bad commands. I found this a
great help, even when there were no more SQL errors. It showed all
errors in input as well. So I knew what my application had done. If your
site traffic is not too high, I can only suggest that you run a
"general" log also. You can empty it once in a while if it gets too big,
and when some security issue presents itself, you can search the logs
and see how it was done.
Of course, this can be expanded to not only database issues, but e-mail
traffic and other applications as well. This is where your notion of
context must come in.

So learn about security, from books, colleagues, web sites, AND your own
applications. If something goes wrong, just find out and learn from the
hackers themselves.

Good luck!
Feb 25 '06 #3
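The "general" log described in this reply, as an added example in PHP (this is not the poster's own database class; the `LoggingDb` name is hypothetical, and it uses PDO with an in-memory SQLite database so it runs without a MySQL server; swapping the DSN for a `mysql:` one is the only MySQL-specific change). Every statement is written to the log with its bound parameters, timing and the request input that was in play, whether or not it succeeded, so the log answers "what did my application do?" for good and bad requests alike:

```php
<?php
// Added example: a small PDO wrapper that records every SQL statement it
// runs, with its parameters and the site input, in one append-only log.

final class LoggingDb
{
    private PDO $pdo;
    private $log;   // file handle for the "general" log (a resource)

    public function __construct(string $dsn, string $logPath)
    {
        $this->pdo = new PDO($dsn, null, null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        $this->log = fopen($logPath, 'a');
    }

    /** Run a prepared statement and log it, whether it succeeds or fails. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $start = microtime(true);
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);   // values are bound, never spliced into the SQL text
            $this->write('OK', $sql, $params, $start);
            return $stmt;
        } catch (PDOException $e) {
            // Bad commands are logged too, with the driver's message, then rethrown.
            $this->write('ERR ' . $e->getMessage(), $sql, $params, $start);
            throw $e;
        }
    }

    private function write(string $status, string $sql, array $params, float $start): void
    {
        $entry = [
            'time'   => date('c'),
            'ms'     => round((microtime(true) - $start) * 1000, 2),
            'status' => $status,
            'sql'    => $sql,
            'params' => $params,
            // Site input for this request: GET and POST as received (passwords masked).
            'input'  => ['get' => self::redact($_GET), 'post' => self::redact($_POST)],
            'remote' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
            'uri'    => $_SERVER['REQUEST_URI'] ?? 'cli',
        ];
        // One JSON object per line: easy to grep or load later when an incident turns up.
        fwrite($this->log, json_encode($entry) . PHP_EOL);
    }

    /** Keep password-like fields out of the log; everything else is kept verbatim. */
    private static function redact(array $input): array
    {
        foreach ($input as $k => $v) {
            if (stripos((string) $k, 'pass') !== false) {
                $input[$k] = '[redacted]';
            }
        }
        return $input;
    }
}

// Demo against an in-memory SQLite database (an assumption made so the example
// runs stand-alone; for MySQL use e.g. 'mysql:host=localhost;dbname=site' plus
// a username and password in the PDO constructor).
$db = new LoggingDb('sqlite::memory:', __DIR__ . '/general.log');
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->run('INSERT INTO users (name) VALUES (?)', ['alice']);

// Constructed request input, as a form handler would receive it. A value
// containing quotes is bound as plain data by the placeholder and still lands
// in the log, so odd input is visible even when it causes no SQL error.
$_GET['name'] = "o'brien";
$rows = $db->run('SELECT id, name FROM users WHERE name = ?', [$_GET['name']])
           ->fetchAll(PDO::FETCH_ASSOC);

try {
    $db->run('SELECT * FROM no_such_table');   // a bad command: logged with the error
} catch (PDOException $e) {
    // the caller shows its error page; the log already holds the details
}
```

Because the log grows with every request, it suits the low-traffic case the reply describes; truncating it periodically, as the poster suggests, keeps it manageable, and the one-object-per-line format means a `grep` for a table name or a suspicious parameter value is enough to reconstruct what happened.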

Peter Fox wrote:
You're right to be concerned but going about it the wrong way.

*You* need to be the one dealing with the security. *You* need to
_understand_ the threats before you can deal with them. There are
plenty of on-line resources on PHP/MySQL and security to deal with the
protection /mechanisms/ ...
...but only you can understand the /context/ in order to build a
security model. Only you can list the bad things that could happen in
order to deal with them in depth.


One can hardly rely on programmers to write 100% secured--or for that
matter, functional--code. It's a good idea to have a second pair of
eyes to look for potential issues. The notion that someone would do
this for free is, of course, completely absurd. It's as though SQA is
not a real profession.

Feb 25 '06 #4

NC
Lal wrote:

Any volunteer to test a PHP+MySQL based website's vulnerability?


Get a copy of Nessus:

http://www.nessus.org/

and test your heart out automatically...

Cheers,
NC

Feb 25 '06 #5

Lal
Thanks for all the great suggestions. What's a real profession? :-D If
free is the word to question professionalism, then PHP, MySQL, and
many others will all be unprofessional? :-D Just a thought. Lol. Thanks
again, nice advice.

Mar 6 '06 #6
